Onwards Upwards

Data Processing Agreement

Version 1.0 — Effective May 23, 2026

This Data Processing Agreement ("DPA") applies when you use Onwards Upwards on behalf of an organisation (employer, clinical practice, coach, or other controller) and that organisation acts as the controller of personal data while Onwards Upwards acts as the processor under Article 28 of Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. For B2C (individual) accounts, Onwards Upwards acts as controller; see our Privacy Policy instead.

To execute this DPA, email dpo@onwardsupwards.app with your organisation's legal name, jurisdiction, and signatory. A counter-signed PDF will be returned within 5 business days.

1. Definitions

Terms used in this DPA have the meanings set out in GDPR Art. 4, including "controller", "processor", "data subject", "personal data", "processing", and "special categories of personal data" (Art. 9). "Sub-processor" means any third party engaged by us to process personal data on behalf of the controller.

2. Subject matter and duration

We process personal data only to provide the Onwards Upwards service as described in the Terms of Use and Privacy Policy, for the duration of the controller's account, plus a short technical retention period for backups described in Annex 2.

3. Nature and purpose of processing

Storage, retrieval, encryption-at-rest, and display of journal entries, reflections, intentions, and account metadata; sending transactional and reminder emails; and generating in-product deterministic Insights aggregations from the controller's data subjects' own entries.

4. Categories of data subjects and personal data

Data subjects: the controller's authorised end users (employees, clients, students).

Personal data: email address, display name, birth year, timezone, account preferences, authentication metadata, audit logs.

Special categories (Art. 9): free-text journal content that may reveal data concerning the data subject's mental or emotional health. Stored encrypted at rest with per-user data-encryption keys.

5. Obligations of the processor

We will:

  • process personal data only on documented instructions from the controller (Art. 28(3)(a));
  • ensure persons authorised to process personal data are bound by confidentiality (Art. 28(3)(b));
  • implement the technical and organisational security measures in Annex 1, meeting Art. 32;
  • assist the controller in responding to data-subject rights requests under Arts. 15–22;
  • assist with DPIAs (Art. 35) and prior consultations (Art. 36);
  • notify the controller of a personal data breach without undue delay and in any event within 48 hours of becoming aware (Art. 33(2));
  • on termination, at the controller's choice, delete or return all personal data and existing copies, unless storage is required by law (Art. 28(3)(g)).

6. Sub-processors

The controller grants general written authorisation for the sub-processors listed at /legal/subprocessors. We will give 14 days' notice before adding or replacing a sub-processor; the controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to find a solution, failing which the controller may terminate the affected service.

7. International transfers

Where personal data is transferred outside the EEA or the UK, such transfers are subject to the European Commission's Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum, both incorporated by reference into this DPA. Transfer impact assessments are available on request.

8. Audit rights

We make available all information necessary to demonstrate compliance with Art. 28 and allow for audits, including inspections, conducted by the controller or an auditor mandated by the controller, no more than once per year, with at least 30 days' notice, subject to confidentiality. Independent third-party audit reports (where available) satisfy this obligation.

9. Liability and governing law

Liability is limited as set out in the controller's main services agreement with us. This DPA is governed by the law of Ireland; the courts of Dublin have exclusive jurisdiction, without prejudice to the data subject's statutory rights.

Annex 1 — Technical and organisational measures (Art. 32)

  • Encryption in transit (TLS 1.2+) and at rest for all journal content (AES-GCM with per-user wrapped DEK).
  • Row-Level Security enforced on every user-data table; owner-scoped access only.
  • Multi-factor authentication available to all users; mandatory for admin tooling.
  • Append-only audit logging for authentication, consent, export, deletion, and admin events.
  • Least-privilege access; service-role credentials never exposed to the browser.
  • Vulnerability disclosure at /.well-known/security.txt.
  • Backups encrypted; restoration tested quarterly.

Annex 2 — Retention and deletion

Account data and journal content are retained for the life of the account. On deletion, data is purged from primary systems within 30 days and from encrypted backups within 90 days.

Annex 3 — Contact

Data Protection Officer: dpo@onwardsupwards.app
EU representative: Instant EU GDPR Representative Ltd, Lucan Co. Dublin, Ireland.
UK representative: GDPR Local Ltd, Newcastle upon Tyne, UK.